© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.23-1 Lesson 3 Cisco PIX Firewall Technology and Features.

Transcript:

Lesson 3: Cisco PIX Firewall Technology and Features

Objectives

Upon completion of this lesson, you will be able to perform the following tasks:
- Describe firewall technologies.
- Define the three types of firewalls used to secure today's computer networks.
- Describe PIX Firewall technology and features.

Firewalls

What Is a Firewall? A firewall is a system or group of systems that manages access between two networks. (Figure: Internet, outside network, DMZ network, and inside network.)

Firewall Technologies: Firewall operations are based on one of three technologies: packet filtering, proxy server, and stateful packet filtering.

ACL Packet Filtering: Limits information into a network based on the destination and source address.

Proxy Server: Requests connections between a client on the inside of the firewall and the Internet. (Figure: inside network, proxy server, outside network, Internet.)

Stateful Packet Filtering: Limits information into a network based not only on the destination and source address, but also on the packet data content.

PIX Firewall Overview

PIX Firewall: What Is It? The Cisco PIX Firewall family delivers enterprise-class security for small-to-medium business and enterprise networks in a modular, purpose-built appliance. Some of the PIX Firewall family product highlights are as follows:
- Proprietary operating system
- Stateful inspection
- Protocol and application inspection
- User-based authentication
- Virtual private networking
- Web-based management solutions
- Stateful failover capabilities

Proprietary Operating System: Finesse. Finesse eliminates the risks associated with general-purpose operating systems.

Stateful Inspection: ASA. ASA (the Adaptive Security Algorithm) provides stateful connection security:
- It tracks source and destination ports and addresses, TCP sequence numbers, and additional TCP flags.
- It randomizes initial TCP sequence numbers.
By default, ASA allows connections originating from hosts on inside (higher security level) interfaces. By default, ASA drops connection attempts originating from hosts on outside (lower security level) interfaces. ASA supports authentication, authorization, and accounting.

Cut-Through Proxy Operation (figure: internal or external user, PIX Firewall, IS resource):
1. The user makes a request to an IS resource.
2. The PIX Firewall intercepts the connection.
3. At the application layer, the PIX Firewall prompts the user for a username and password. It then authenticates the user against a RADIUS or TACACS+ server and checks the security policy.
4. The PIX Firewall initiates a connection from the PIX Firewall to the destination IS resource.
5. The PIX Firewall directly connects the internal or external user to the IS resource via ASA. Communication then takes place at a lower level of the OSI model.
(Figure: the authentication prompt "Cisco Secure PIX Firewall: Username and Password Required", with User Name and Password fields.)

Virtual Private Networking (figure: a site-to-site VPN between two bank sites across the Internet, and a remote-access VPN).

Application-Aware Inspection: Protocols such as FTP, HTTP, H.323, and SQL*Net need to negotiate connections to dynamically assigned source or destination ports through the firewall. The PIX Firewall inspects packets above the network layer and securely opens and closes negotiated ports for legitimate client-server connections through the firewall. (Figure: an FTP client behind the firewall opens a control connection from port 2008 to the server's port 21 and announces data port 2010 on that channel; the firewall marks port 2010 as OK, and the server's data connection from port 20 to port 2010 is allowed through.)
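As an added example (not from the Cisco lesson or PIX software), the following toy Python stateful filter models the ASA behaviour from the Stateful Inspection slide together with the FTP data-port pinhole from this slide: interface names, security levels, addresses and the PORT command text are constructed assumptions.

```python
import re
from collections import namedtuple

# Constructed values: PIX-style security levels for two interfaces
SECURITY_LEVEL = {"inside": 100, "outside": 0}

# iface = interface the packet arrives on; syn = True for a connection attempt
Packet = namedtuple("Packet", "iface src sport dst dport syn payload", defaults=(False, ""))


class StatefulFilter:
    """Toy model: flows tracked by address/port 4-tuple, FTP data pinholes opened by inspection."""
    PORT_CMD = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

    def __init__(self):
        self.conns = set()     # established flows (src, sport, dst, dport)
        self.pinholes = set()  # (host, port) endpoints announced on an FTP control channel

    def process(self, pkt):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if flow in self.conns or reverse in self.conns:
            self._inspect(pkt)         # belongs to a tracked connection, either direction
            return "permit"
        if not pkt.syn:
            return "drop"              # no state and not a connection attempt
        from_higher = SECURITY_LEVEL[pkt.iface] > SECURITY_LEVEL["outside"]
        if from_higher or (pkt.dst, pkt.dport) in self.pinholes:
            self.conns.add(flow)
            self.pinholes.discard((pkt.dst, pkt.dport))  # a pinhole serves one connection
            return "permit"
        return "drop"                  # lower-security origin and no negotiated pinhole

    def _inspect(self, pkt):
        # FTP control channel: "PORT h1,h2,h3,h4,p1,p2" announces the client's data port
        if pkt.dport == 21:
            m = self.PORT_CMD.search(pkt.payload)
            if m:
                h1, h2, h3, h4, p1, p2 = map(int, m.groups())
                self.pinholes.add((f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))


def ftp_active_session():
    # Replay the slide's exchange: control 2008->21, then the server's 20->2010 data connection
    fw, client, server = StatefulFilter(), "10.0.0.5", "192.0.2.10"  # constructed addresses
    return [
        fw.process(Packet("outside", server, 20, client, 2010, True)),  # before PORT: dropped
        fw.process(Packet("inside", client, 2008, server, 21, True)),   # control channel opens
        fw.process(Packet("inside", client, 2008, server, 21, False, "PORT 10,0,0,5,7,218\r\n")),
        fw.process(Packet("outside", server, 20, client, 2010, True)),  # matches the pinhole
        fw.process(Packet("outside", server, 20, client, 2011, True)),  # unrelated attempt
    ]
```

The pinhole is keyed on exactly the host and port the client announced, so an inbound connection attempt to any other port is still dropped even while the FTP session is open.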

Web-Based Management Solutions: PIX Device Manager; Firewall Management Center.

Failover: Failover protects the network should the primary PIX Firewall go offline. Stateful failover maintains operating state during failover. (Figure: before failover, the primary PIX Firewall is active and the secondary is standby; after failover, the secondary is active and the primary is standby, both connected to the Internet.)

Summary

There are three firewall technologies: packet filtering, proxy server, and stateful packet filtering. The PIX Firewall features include the following: the Finesse operating system, ASA, cut-through proxy, stateful failover, VPN, web-based management, and stateful packet filtering.